Raygun Feature Request

Don't add applications (or users?) to a group by default

Current Status:

Completed


Madman

When creating a new application, it gets added with access by the 'Users' group by default. Because of this, we can't easily open access to Raygun up to external consultants or other teams - as we don't want them to be able to see things from all applications (even if only for a moment) - just the ones we give them access to.

Perhaps when creating an application, you should be able to define which groups it was associated with, and by default it gets added to the Users group?


Arjen

Posted on
Apr 16 2015

This is a security concern for us as well and frequently bites us in the ass. We've already opened up our organization's Raygun account to a couple of external consultants and people keep forgetting that any application is automatically added to the users group.

It could be as easy as adding a global organization setting 'Add new applications to Users group' that defaults to true. For those organizations that prefer it, this would force people to think about security when creating a new application.

Madman

Posted on
Apr 17 2015

For what it's worth, I found that there is also a minor permission cache issue sort-of related to this. If you remove an app from a team (e.g. remove it from the 'Users' team), then it can still be accessed via the direct URL for up to 15 minutes after you remove a user's access to it.

So if I was malicious, and was a consultant who was in the 'Users' team, I could write a small script to constantly query the list of applications, and as soon as I see a new one (all apps go into the 'Users' team until you manually remove them), I would see that application for up to 15 minutes after it was removed from the 'Users' team.

Probably not a biggie, but might be for large clients that have lots of different applications and external consultants that should only have access to certain applications.

mkadijk

Posted on
Apr 17 2015

This definitely should be handled as a security issue. Before you know it external contractors are assigned to confidential apps/projects!

mdj

Posted on
Apr 17 2015

I totally agree! This is a serious issue that needs attention.

Raygun

John-Daniel Trask

Posted on
Apr 17 2015

Hi everyone,

Just as a heads up on this request. We will likely ship an improvement next week that allows selecting a team on app creation.

The logic will be that you need to have more than just the 'owners' and 'users' team. If you do, we'll show the team selection drop down on the app creation step of the wizard.

For the time being, you can only pick one team on the app creation flow. If you need more, you can add them later, or if it's common that you need to select more than one please post a note about it here :-)

As mentioned, this will likely ship in the coming week. It's built and going through the testing process internally to get it out for you. I'll post an update once it's live -- I'd love to hear your feedback on the implementation.

I hope that helps!

John-Daniel Trask
Co-founder & CEO
Mindscape

Madman

Posted on
Apr 20 2015

Hey John-Daniel,

That's great - sounds like it will work for our use case just fine! Could I suggest either a button that links to the 'Teams' page if you have permission (so you can create a team if an appropriate one doesn't exist), or better yet the ability to create a new team or select an existing team as part of the application creation process.

Cheers, Matt.

Alex

Posted on
Apr 20 2015

Hi Guys,

Just letting you know we've added an option to specify the initial team an application is added to when creating a new application. This option will only appear when there are teams in addition to the default 'Users' and 'Owner' teams.

As before, all applications will be added to the Owners team.

Feel free to post further feedback on the new flow and we'll take it into consideration when working on this area in future.

Cheers,
Alex